Risk Scoring
DataShield computes two independent risk scores, both in src/lib/risk.ts and
covered by src/lib/risk.test.ts:
- a company-wide posture score, and
- a per-employee score used to triage who is most at risk.
Both return an integer from 0 to 100, and every component caps the points it can contribute so no single signal alone pins the score at 100.
calculateRiskScore(...) blends three capped components:
| Component | Inputs | Max points |
|---|---|---|
| Exposure | compromisedEmployees / totalEmployees | 40 |
| Alerts | criticalAlerts*12 + highAlerts*6 + mediumAlerts*2 | 40 |
| Recency | recentBreaches*4 | 20 |
With no employees the score is 0.
employeeRiskScore(input, weights) scores one employee from their breach
records and open alerts. Inputs are derived by buildEmployeeRiskInput:
| Signal | Meaning |
|---|---|
| recencyDays | Days since the most recent detection, decaying to 0 over a 180-day window |
| hasSessionArtifact | A stealer-log COOKIE or TOKEN was captured (replayable session, bypasses MFA) |
| hasCriticalData | Exposed data includes password, credit card, SSN, bank account, or financial |
| domainMatch | The address is on the company domain |
| openAlerts | Open alerts for the employee (capped at 3) |
| breachCount | Number of breach records (capped at 5) |
An employee with no breach records scores 0.
Per-employee weights are tunable per company. The defaults
(DEFAULT_RISK_WEIGHTS):
| Weight | Default |
|---|---|
| session | 30 |
| recency | 25 |
| criticalData | 20 |
| domainMatch | 15 |
| openAlerts | 10 |
| breaches | 10 |
Overrides are stored on Company.riskWeights (JSON) and merged onto the
defaults by resolveRiskWeights, which keeps only finite, non-negative numbers
for known keys, so a malformed override can never produce a broken score. Edit
them via PATCH /api/company (riskWeights). Session artifacts carry the
heaviest default weight because a captured session token hands an attacker a
ready-to-replay login that MFA will not stop.
getRiskLevel(score) maps a score to a band for display:
| Score | Level |
|---|---|
| 76-100 | CRITICAL |
| 51-75 | HIGH |
| 26-50 | MEDIUM |
| 0-25 | LOW |
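As an added illustration (not DataShield's own src/lib/risk.ts), the override-merging rule, the capped alert component and the display bands described above, written in TypeScript; the names resolveWeights, alertPoints and riskLevel and the sample override are assumptions constructed for this example.

```typescript
// Added example, not the project's code. Mirrors the rules on this page:
// only known keys with finite, non-negative numbers override the defaults.
type RiskWeightKey =
  | "session" | "recency" | "criticalData" | "domainMatch" | "openAlerts" | "breaches";
type RiskWeights = Record<RiskWeightKey, number>;

const DEFAULT_WEIGHTS: RiskWeights = {
  session: 30, recency: 25, criticalData: 20, domainMatch: 15, openAlerts: 10, breaches: 10,
};

// Merge an arbitrary JSON value (as stored on Company.riskWeights) onto the
// defaults. Unknown keys are dropped; non-numbers, NaN, +/-Infinity and
// negatives fall back to the default, so a malformed override cannot yield
// NaN, a negative term or an unexpected key in the score.
function resolveWeights(overrides: unknown): RiskWeights {
  const result: RiskWeights = { ...DEFAULT_WEIGHTS };
  if (typeof overrides !== "object" || overrides === null || Array.isArray(overrides)) {
    return result;
  }
  const src = overrides as Record<string, unknown>;
  for (const key of Object.keys(DEFAULT_WEIGHTS) as RiskWeightKey[]) {
    const v = src[key];
    if (typeof v === "number" && Number.isFinite(v) && v >= 0) result[key] = v;
  }
  return result;
}

// Alert component of the company score: weighted sum, capped at 40 points.
function alertPoints(critical: number, high: number, medium: number): number {
  return Math.min(40, critical * 12 + high * 6 + medium * 2);
}

type RiskLevel = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";
function riskLevel(score: number): RiskLevel {
  if (score >= 76) return "CRITICAL";
  if (score >= 51) return "HIGH";
  if (score >= 26) return "MEDIUM";
  return "LOW";
}

// Constructed sample override: one valid change (session), a negative value, a
// numeric string, null, an out-of-range literal (parses to Infinity) and an
// unknown key. Only "session" should survive the merge.
const SAMPLE_OVERRIDE: unknown = JSON.parse(
  '{"session": 40, "recency": -5, "criticalData": "20", "domainMatch": null, "breaches": 1e999, "bogus": 99}'
);
```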
See Breach Scanning for where artifacts and exposed-data types come from, and MFA Coverage for the MFA signal.
DataShield is source-available software by Melvin PETIT (WhiteMuush). Work in progress, not production ready.